What is AWS Control Tower?

What is AWS Control Tower?

April 27, 2020 / Eternal Team

AWS control tower is basically the easiest way to set up and govern a new, secure multi-account AWS environment.

In case you’re an association with different AWS records and groups, cloud arrangement and administration can be mind boggling and tedious, hindering the very advancement you’re attempting to accelerate. AWS Control Tower gives the simplest method to set up and oversee another, protected, multi-account AWS condition dependent on best practices built up through AWS’s experience working with a great many ventures as they move to the cloud. With AWS Control Tower, developers can arrange new AWS accounts in a couple of snaps, while you have significant serenity realizing your records adjust to your far reaching strategies. On the off-chance that you are building another AWS condition, beginning on your excursion to AWS, beginning another cloud activity, or are totally new to AWS, Control Tower will assist you rapidly with administration and best practices of the cloud.

Benefits

Quickly setup and configure a new AWS environment

Mechanize the arrangement of your multi-account AWS condition with only a couple of snaps. The arrangement utilizes diagrams, which catch AWS best practices for designing AWS security and the executives administrations to administer your condition. Diagrams are accessible to give character to the board, combine access to accounts, incorporate logging, build up cross-account security reviews, characterize work processes for provisioning records, and execute account baselines with organized setups.

Automate ongoing policy management

Control Tower provides mandatory and strongly recommended high-level rules, called guardrails, that help enforce your policies using service control policies (SCPs), or detect policy violations using AWS Config rules. These rules remain in effect as you create new accounts or make changes to your existing accounts, and Control Tower provides a summary report of how each account conforms to your enabled policies.

View policy-level summaries of your AWS environment

Control Tower provides you with an integrated dashboard so you can see a top-level summary of policies applied to your AWS environment. You can view details on the accounts provisioned, the guardrails enabled across your accounts, and account level status for compliance with your guardrails.

How to configure AWS Control Tower

First you need to setup 2 things

  • Sign in to AWS Account
  • Create a IAM Role
    1. Create a new user
    2. Assign Administrators policy to the user

Configuring AWS Control Tower

Pre Requirements

The AWS account must be subscribed to the following AWS services

  • Amazon Simple Storage Service (Amazon S3)
  • Amazon Elastic Compute Cloud (Amazon EC2)
  • Amazon SNS
  • Amazon Virtual Private Cloud (Amazon VPC)
  • AWS CloudFormation
  • AWS CloudTrail
  • Amazon CloudWatch
  • AWS Config
  • AWS Identity and Access Management (IAM)
  • AWS Lambda

Note

  • By default, all accounts are subscribed to these services.
  • The AWS account must not have an AWS Config aggregator already configured.
  • The AWS account must not have AWS Single Sign-On (AWS SSO) already set up.

There are mainly two steps to configure AWS Control Tower

  1. Create Your Shared Account Email Addresses
    • To set up your landing zone, AWS Control Tower requires two one of a kind emails that aren’t as of now connected with an AWS account. These email locations should each be a community oriented inbox, a mutual email representing the various clients in your venture that will accomplish explicit business related to AWS Control Tower.
      • Audit Account This account is for your group of clients that need access to the review data made accessible by AWS Control Tower. You can likewise utilize this record as the passageway for outsider devices that will perform automatic reviewing of your condition to assist you with auditing for consistency purposes.
      • Log archive account This account is for your team of users that need access to all the logging information for all of your managed accounts within managed OUs in your landing zone.
  2. Set Up Your Landing Zone
    • Step 1: Sign In AWS Account
    • Step 2: Navigate to Control Tower
    • Step 3: Verify the region you want to setup your landing zone
    • Step 4: Provide the email address
      1. Please verify email address should not be associated with any AWS accounts
    • Step 5: Verify the details and choose i understand
    • Step 6: Launch your control tower

Want to start a project?

It’s simple.

Contact us